FireEye's False Positive: a Kaspersky Sinkhole


Win some, lose some. Earlier today, FireEye blogged about the discovery of Gauss-infected systems trying to connect to old Flame servers. This would have been a bold discovery in the world of cyberespionage crackdowns, except it turns out what FireEye had really stumbled upon was a sinkhole (a server that researchers point a malware domain at so they can log the infected machines that call home) set up by Kaspersky Labs, the folks who first reported on the Gauss malware a couple of weeks ago.

"After discovering Gauss we started the process of working with several organizations to investigate the command & control (C2) servers with sinkholes. Given Flame's connection with Gauss, the sinkhole process was being organized to monitor both the Flame and Gauss C2 infrastructures. It's important to note that the Gauss C2 infrastructure is completely different from Flame's. The Gauss C2s were shut down in July by its operators and the servers have been kept in a dormant state by the operators since then. However, we wanted to monitor any activity on both C2 infrastructures," Kaspersky's Alexander Gostev wrote.

Hours later, FireEye issued an apologetic update on top of its original blog post, partially blaming a lack of communication within the security industry.

"We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions," Ali Islam, a lead researcher at FireEye, wrote in a blog post.

But Gostev's statement implies this is no excuse: "With some easy Googling and checking on WhoIs [domain lookup], researchers could have verified all of this."
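The check Gostev describes can be made routine. The following is an added example, not code from the original article or from either vendor: before attributing observed C2 callbacks to an adversary, parse the WHOIS record for the domain and compare it with what is known about the campaign. A domain whose registration changed after the operators went dark, whose registrant or name servers identify a security research group, or which resolves to an address already recorded as a sinkhole, is probably being monitored rather than operated. The WHOIS text, the name-server suffix, the indicator words, the IP addresses and the "operators went dark" date are all constructed assumptions for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Illustrative indicator lists, assumed for this example; a real deployment
# would maintain these from known sinkhole operators, not hard-code them.
SINKHOLE_TOKENS = ("sinkhole", "abuse", "malware research", "security research")
SINKHOLE_NS_SUFFIXES = (".sinkhole.example.net",)


@dataclass
class Verdict:
    likely_sinkhole: bool
    reasons: list = field(default_factory=list)


def parse_whois(text: str) -> dict:
    """Turn 'Key: Value' WHOIS lines into {lower-cased key: [values]}.

    Registrar comment lines ('%', '#') and the trailing '>>>' notice are
    skipped. Only the first ':' splits, so timestamps keep their colons.
    """
    record: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def parse_date(value: str) -> date:
    """Accept 'YYYY-MM-DD', optionally followed by a time ('...T00:00:00Z')."""
    return date.fromisoformat(value[:10])


def assess_c2_domain(whois_text: str, resolved_ips, known_sinkhole_ips,
                     operators_went_dark: date) -> Verdict:
    """Collect reasons to believe a C2 domain is now a research sinkhole."""
    record = parse_whois(whois_text)
    reasons = []

    # 1. Registrant / organisation fields naming a research or abuse team.
    blob = " ".join(v.lower() for values in record.values() for v in values)
    for token in SINKHOLE_TOKENS:
        if token in blob:
            reasons.append(f"WHOIS text mentions '{token}'")

    # 2. Name servers under a known sinkhole operator's zone.
    for ns in record.get("name server", []):
        if ns.lower().endswith(SINKHOLE_NS_SUFFIXES):
            reasons.append(f"name server {ns} belongs to a sinkhole operator")

    # 3. Registration modified after the operators abandoned the domain:
    #    the most likely explanation is that someone else took it over.
    for updated in record.get("updated date", []):
        if parse_date(updated) > operators_went_dark:
            reasons.append(f"registration changed on {updated}, after the operators went dark")

    # 4. Current DNS answer overlaps addresses already recorded as sinkholes.
    overlap = set(resolved_ips) & set(known_sinkhole_ips)
    if overlap:
        reasons.append(f"resolves to known sinkhole address(es) {sorted(overlap)}")

    return Verdict(bool(reasons), reasons)


# Constructed sample records; the domain, organisation and addresses are not real.
SAMPLE_WHOIS = """\
% Constructed sample record for this example; not a real domain.
Domain Name: C2-EXAMPLE.NET
Updated Date: 2012-08-09T00:00:00Z
Creation Date: 2011-03-01T00:00:00Z
Registrant Organization: Sinkhole Operations, Example Research Lab
Name Server: NS1.SINKHOLE.EXAMPLE.NET
Name Server: NS2.SINKHOLE.EXAMPLE.NET
>>> Last update of WHOIS database: 2012-08-14 <<<
"""

CLEAN_WHOIS = """\
Domain Name: C2-EXAMPLE.NET
Updated Date: 2011-03-01T00:00:00Z
Registrant Organization: Example Hosting Ltd
Name Server: NS1.EXAMPLE-HOSTING.NET
"""

if __name__ == "__main__":
    # Assumed: the operators shut the C2s down at the end of July 2012.
    went_dark = date(2012, 7, 31)
    for label, text, ips in (("taken over", SAMPLE_WHOIS, ["192.0.2.10"]),
                             ("untouched", CLEAN_WHOIS, ["198.51.100.5"])):
        v = assess_c2_domain(text, ips, {"192.0.2.10"}, went_dark)
        print(label, "-> likely sinkhole:", v.likely_sinkhole)
        for r in v.reasons:
            print("   ", r)
```

None of the four signals is conclusive on its own (a registrar's abuse desk or a legitimate transfer can trip them), but a callback to a domain that fires several of them should be reported as "monitored infrastructure" rather than as a live adversary server until the registrant has been contacted.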

To recap, Gauss is a sophisticated cyber-espionage toolkit targeting personal computers primarily in Lebanon, Israel, and Palestine. It is designed to steal passwords, banking credentials, and browser cookies, and specifically looks for login credentials for Lebanese banks. This led Kaspersky to believe that Gauss is part of a state-sponsored targeted attack, and likely, like Flame, another tool from the same operation that produced Stuxnet.

Strike Two?

This is allegedly the second time FireEye has misidentified a Kaspersky-run sinkhole as live attacker infrastructure. According to Gostev, a FireEye blog post from late June, in which it traced Flame to Sweden (well outside the known target area), was actually describing another Kaspersky sinkhole. FireEye hasn't commented on that incident, however.

Sara Yin is a junior analyst in the Software, Internet, and Networking group at PCmag.com, pouring most of her energy into app testing and security matters at Security Watch with Neil Rubenking. She lies awake at night pondering the state of mobile security (half-true).
Prior to joining PCMag.com, Sara spent five years reporting for publications in New York City (Huffington Post), Hong Kong (South China Morning Post), and Singapore (Campaign Asia, Men's Health).
Follow her on Twitter at @SecurityWatch and @sarapyin, or contact her the...